
Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates


keytool list certs – How to list contents of a keystore

February 11, 2021 by Mister PKI

What is Java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. In many respects, the Java keytool is a competing utility with openssl for keystore, key, and certificate management. The keytool list command will list the contents of your keystore.

Why use the Java keytool to list keystore certificates, keys, and entries?

You may want to list the certificates, keys, and keystore entries to audit the entries and ensure they are still valid for your application needs. You should ensure each entry is still necessary and ensure that the key entries are being rotated. You may also output the PEM encoded cert for inspection.

What keytool command do I use to list the contents of a keystore?

Use this command to list the contents of a keystore using the Java keytool. The result will be a detailed listing of the keystore. Note that this example uses the -alias option; if -alias is not used, all contents and aliases of the keystore will be listed. This example also uses the optional -rfc switch to display the PEM encoded certificate.

keytool -list \
  -rfc \
  -alias example \
  -keystore example.p12 \
  -storepass changeit \
  -storetype PKCS12

Again, the above Java keytool list command lists the certificates (certs and cacerts) for the key entry and, because the -rfc flag is included, prints them PEM encoded.

A shorter version of the same command, without the -alias option, shows the entire contents of the keystore:

keytool -list -keystore example.p12

The output will look similar to the following:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

example, Jan 13, 2021, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D

Here, the line "example, Jan 13, 2021, PrivateKeyEntry" identifies the entry by alias, date, and entry type.

You may also include the -v flag to provide a verbose output of the keystore:

keytool -list -v -keystore example.p12

Which will display console output similar to the following:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: example
Creation date: Jan 13, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com, OU=exampleou, DC=example, DC=com
Issuer: CN=example.com, OU=exampleou, DC=example, DC=com
Serial number: 52f5b97b
Valid from: Thu Dec 19 00:00:00 EST 2019 until: Fri Dec 18 00:00:00 EST 2020
Certificate fingerprints:
	 SHA1: B2:0B:1B:3B:70:C5:F6:58:0F:19:6A:6F:45:11:55:C4:4F:CE:EE:F5
	 SHA256: 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 33 78 6A 09 D2 39 6A   79 57 EE 79 0C F1 40 05  .3xj..9jyW.y..@.
0010: B6 92 90 70                                        ...p
]
]
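
An added example, not part of the original post: a Python audit of the verbose listing above that reports each certificate as EXPIRED, EXPIRING or OK, following the advice to check that entries are still valid. The function names, the 30-day warning window and the reference date are assumptions, and English-locale keytool output is assumed.

```python
from datetime import datetime

# Constructed sample: the verbose listing shown on this page, trimmed.
SAMPLE = """\
Alias name: example
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=example.com, OU=exampleou, DC=example, DC=com
Valid from: Thu Dec 19 00:00:00 EST 2019 until: Fri Dec 18 00:00:00 EST 2020
"""

def _parse_date(s):
    # keytool prints e.g. "Fri Dec 18 00:00:00 EST 2020". strptime's %Z does not
    # reliably accept zone abbreviations, so the zone is dropped (error < 1 day).
    p = s.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_listing(text):
    """Return one dict per alias with its entry type and chain certificates."""
    entries, cert = [], None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Alias name":
            entries.append({"alias": val, "type": None, "certs": []})
            cert = None
        elif entries and key == "Entry type":
            entries[-1]["type"] = val
        elif entries and key == "Owner":
            cert = {"owner": val, "not_after": None}
            entries[-1]["certs"].append(cert)
        elif cert is not None and key == "Valid from" and " until: " in val:
            cert["not_after"] = _parse_date(val.split(" until: ")[1])
    return entries

def audit(entries, now, warn_days=30):
    """Return (alias, entry type, chain index, status) for every certificate."""
    rows = []
    for e in entries:
        for i, c in enumerate(e["certs"], 1):
            if c["not_after"] is None:
                status = "UNPARSED"  # never report a cert as OK without a date
            else:
                days = (c["not_after"] - now).days
                status = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
            rows.append((e["alias"], e["type"], i, status))
    return rows

if __name__ == "__main__":
    # Reference date is an assumption: the publication date of the post.
    print(audit(parse_listing(SAMPLE), datetime(2021, 2, 11)))
```

To audit a real keystore, pass the text printed by keytool -list -v -keystore example.p12 to parse_listing and use datetime.now() as the reference time.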

Java keytool options:

-rfc – Output the certificate specified by its alias in PEM format.

-alias – The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.

-keystore – The filename of the keystore.

-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here, where it can end up in shell history and process listings.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.


Here are the official keytool docs to dive further into how to list certificate contents of the keystore. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__DISPLAYDATA-507D2B01
